Re: FTBFS if -Werror=format-security flag is used
On Tue, Dec 10, 2013 at 09:44:43PM +0100, Mattias Ellert wrote:
> Tue 2013-12-10 at 12:18 -0500, Darryl L. Pierce wrote:
> > > Of all the packages I maintain, only one was affected by this issue. That one was easily solvable by deleting the bundled swig generated code in the sources and have the build regenerate it with a newer swig version that doesn't produce broken code.
> > Our project isn't bundling any Swig generated code. It's generated as a part of the build process. Try not to make assumptions in future.
> Where did I make this assumption?

I quoted your assumption:

> > > Don't use swig as an excuse not to fix things.

But you deleted that line when replying.

> The description of my experience was supposed to tell something about swig. That older versions had problems but newer does not. No reflection on your project was intended whatsoever.

Your experience is nothing like mine. We don't bundle any swig generated code in the sources. As I said, all of the Swig generated code is generated _as part of the build process_. None of it is bundled with our sources.

-- 
Darryl L. Pierce mcpie...@gmail.com
http://mcpierce.fedorapeople.org/
"What do you care what people think, Mr. Feynman?"

-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Re: FTBFS if -Werror=format-security flag is used
On 12/11/2013 11:00 PM, Kevin Kofler wrote:
> Brendan Jones wrote:
> > What is the best way to handle this case:
> > qWarning(QObject::tr("Client name '%1' occupied.").arg(name).toUtf8());
> > something like, or can I make it simpler:
> > qWarning("%s", qPrintable(QObject::tr("Client name '%1' occupied.").arg(name).toUtf8()));
> Use one of:
> qWarning() << QObject::tr("Client name '%1' occupied.").arg(name);
> or:
> qWarning("%s", QObject::tr("Client name '%1' occupied.").arg(name).toLocal8Bit().data());
> Note that hardcoding toUtf8() is also a bad idea here, the right encoding to use is toLocal8Bit(), or this will print junk in non-UTF-8 locales. (In our default UTF-8 locales, it will make no difference.)
>
> Kevin Kofler

Thanks!
Re: FTBFS if -Werror=format-security flag is used
Brendan Jones wrote:
> What is the best way to handle this case:
> qWarning(QObject::tr("Client name '%1' occupied.").arg(name).toUtf8());
> something like, or can I make it simpler:
> qWarning("%s", qPrintable(QObject::tr("Client name '%1' occupied.").arg(name).toUtf8()));

Use one of:

    qWarning() << QObject::tr("Client name '%1' occupied.").arg(name);

or:

    qWarning("%s", QObject::tr("Client name '%1' occupied.").arg(name).toLocal8Bit().data());

Note that hardcoding toUtf8() is also a bad idea here, the right encoding to use is toLocal8Bit(), or this will print junk in non-UTF-8 locales. (In our default UTF-8 locales, it will make no difference.)

Kevin Kofler
Re: FTBFS if -Werror=format-security flag is used
On Tue, Dec 10, 2013 at 3:00 AM, Kevin Kofler kevin.kof...@chello.at wrote:
> [...] and removes functionality

No it does not.
Re: FTBFS if -Werror=format-security flag is used
drago01 wrote:
> On Tue, Dec 10, 2013 at 3:00 AM, Kevin Kofler kevin.kof...@chello.at wrote:
> > [...] and removes functionality
> No it does not.

Yes, it does, see my example:

| a printf wrapper for logging which adds a timestamp in front of the
| format string, e.g.
| log("processed %d items", foo);
| which would be printed as
| 2013-12-06 19:00:00: processed 123 items
| to some logfile (using vfprintf with a format string like
| "2013-12-06 19:00:00: processed %d items"
| concatenated at runtime).

-Werror=format-security removes the functionality of building format strings at runtime, and there are legitimate uses for such functionality. And it has been mentioned elsewhere in this thread that GCC doesn't even recognize cases where the format string is constant, but not a string literal, where it is picked from a list of constant formats, etc.

Kevin Kofler
Re: FTBFS if -Werror=format-security flag is used
On Tue, Dec 10, 2013 at 3:50 PM, Kevin Kofler kevin.kof...@chello.at wrote:
> drago01 wrote:
> > On Tue, Dec 10, 2013 at 3:00 AM, Kevin Kofler kevin.kof...@chello.at wrote:
> > > [...] and removes functionality
> > No it does not.
>
> Yes, it does, see my example:
>
> | a printf wrapper for logging which adds a timestamp in front of the
> | format string, e.g.
> | log("processed %d items", foo);
> | which would be printed as
> | 2013-12-06 19:00:00: processed 123 items
> | to some logfile (using vfprintf with a format string like
> | "2013-12-06 19:00:00: processed %d items"
> | concatenated at runtime).
>
> -Werror=format-security removes the functionality of building format strings at runtime, and there are legitimate uses for such functionality.

(info gcc) says that format-security only applies to calls where the format string is not a string literal _and there are no format arguments_, which is not the case for the wrapper above. Is the documentation incorrect?

Mirek
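The timestamped log wrapper quoted above can be written without ever concatenating a format string at runtime: the timestamp gets its own literal format and the caller's format is forwarded to vsnprintf unchanged, so there is nothing for -Wformat-security to flag and the format attribute lets GCC check the callers' arguments as well. This is an added example with hypothetical function names, not code from the thread; it also shows that message text passed through "%s" keeps any '%' it contains literal.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Write "<stamp>: <formatted message>" into buf (hypothetical wrapper).
 * Returns the length of the resulting line, or -1 if it did not fit.
 * The format attribute (GCC/Clang) makes the compiler check the
 * arguments callers pass against their literal format strings. */
__attribute__((format(printf, 4, 5)))
static int format_log_line(char *buf, size_t size, const char *stamp,
                           const char *fmt, ...)
{
    va_list ap;
    int n, m;

    /* The timestamp prefix uses its own literal format string. */
    n = snprintf(buf, size, "%s: ", stamp);
    if (n < 0 || (size_t)n >= size)
        return -1;

    /* The caller's format (a literal at the call site) is only ever
     * forwarded, never spliced into another string at runtime. */
    va_start(ap, fmt);
    m = vsnprintf(buf + n, size - (size_t)n, fmt, ap);
    va_end(ap);
    if (m < 0 || (size_t)m >= size - (size_t)n)
        return -1;
    return n + m;
}

/* Log text that may come from outside the program. It is passed as an
 * argument to "%s", so any '%' in it is printed literally rather than
 * being interpreted as a conversion. */
static int log_untrusted_text(char *buf, size_t size, const char *stamp,
                              const char *text)
{
    return format_log_line(buf, size, stamp, "%s", text);
}

int main(void)
{
    char line[128];
    /* Constructed sample inputs, following the thread's example. */
    const char *stamp = "2013-12-06 19:00:00";

    if (format_log_line(line, sizeof line, stamp, "processed %d items", 123) > 0)
        puts(line);   /* 2013-12-06 19:00:00: processed 123 items */

    if (log_untrusted_text(line, sizeof line, stamp, "100% done, %s") > 0)
        puts(line);   /* 2013-12-06 19:00:00: 100% done, %s */

    return 0;
}
```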
Re: FTBFS if -Werror=format-security flag is used
On 12/10/2013 04:35 PM, Miloslav Trmač wrote:
> On Tue, Dec 10, 2013 at 3:50 PM, Kevin Kofler kevin.kof...@chello.at wrote:
> > drago01 wrote:
> > > On Tue, Dec 10, 2013 at 3:00 AM, Kevin Kofler kevin.kof...@chello.at
> > -Werror=format-security removes the functionality of building format strings at runtime, and there are legitimate uses for such functionality.
> (info gcc) says that format-security only applies to calls where the format string is not a string literal _and there are no format arguments_, which is not the case for the wrapper above. Is the documentation incorrect?

The documentation seems right in the sense as GCC seems to be doing what the documentation tells. The problems are elsewhere:

1. There are legitimate use-cases where GCC's assumption does not hold, e.g.:

    #include <stdio.h>

    void foo( int a )
    {
      char hello0[] = "hello0";
      char hello1[] = "hello1";

      char *ptr;

      switch (a % 2) {
        case 0: ptr = hello0; break;
        case 1: ptr = hello1; break;
      }
      printf( ptr );
    }

=> The warning GCC issues is plain wrong.
=> -Werror=format-security removes the functionality of assigning pointers to format strings even if they are constant.

2. Raising warnings to errors (-Werror) at distribution scope is a silly undertaking in general. -Werror is a debugging/development/testing aid aimed at developers but is entirely inadequate at distribution (or package scope).

Ralf
Re: FTBFS if -Werror=format-security flag is used
Once upon a time, Ralf Corsepius rc040...@freenet.de said:
> printf( ptr );

Aside from everything else, using the printf() family of functions when you don't want formatted output is bad practice. There's really no excuse for calling printf(foo); if you don't want formatted output (i.e. you don't pass a format string with additional arguments to be converted), then use the correct function for the job such as puts(foo).

-- 
Chris Adams li...@cmadams.net
Re: FTBFS if -Werror=format-security flag is used
Once upon a time, Chris Adams li...@cmadams.net said:
> Aside from everything else, using the printf() family of functions when you don't want formatted output is bad practice. There's really no excuse for calling printf(foo); if you don't want formatted output (i.e. you don't pass a format string with additional arguments to be converted), then use the correct function for the job such as puts(foo).

And before anybody jumps on it, I meant fputs(foo, stdout) (I forgot puts() appends a newline).

-- 
Chris Adams li...@cmadams.net
Re: FTBFS if -Werror=format-security flag is used
On Sat, Dec 07, 2013 at 07:12:03AM +0100, Mattias Ellert wrote:
> Fri 2013-12-06 at 15:06 -0500, Darryl L. Pierce wrote:
> > Additionally, some code (like my package, qpid-cpp) uses code that's generated by another app like Swig. We have no control over what that code is. So enabling this as an error would be unresolvable by our project and we'd be blocked until the Swig team decided to change their code generation bits.
> Don't use swig as an excuse not to fix things.

Sorry, where am I using any excuses?

> Of all the packages I maintain, only one was affected by this issue. That one was easily solvable by deleting the bundled swig generated code in the sources and have the build regenerate it with a newer swig version that doesn't produce broken code.

Our project isn't bundling any Swig generated code. It's generated as a part of the build process. Try not to make assumptions in future.

-- 
Darryl L. Pierce mcpie...@gmail.com
http://mcpierce.fedorapeople.org/
"What do you care what people think, Mr. Feynman?"
Re: FTBFS if -Werror=format-security flag is used
On Fri, Dec 06, 2013 at 03:58:21PM -0500, David Malcolm wrote:
> On Fri, 2013-12-06 at 15:06 -0500, Darryl L. Pierce wrote:
> > Additionally, some code (like my package, qpid-cpp) uses code that's generated by another app like Swig. We have no control over what that code is. So enabling this as an error would be unresolvable by our project and we'd be blocked until the Swig team decided to change their code generation bits.
> So have you filed a bug against swig yet? ;) [ideally, attaching an example of the problematic generated code, and the inputs]

I have not, no. I wanted to see what's going to happen WRT this proposal first.

-- 
Darryl L. Pierce mcpie...@gmail.com
http://mcpierce.fedorapeople.org/
"What do you care what people think, Mr. Feynman?"
Re: FTBFS if -Werror=format-security flag is used
> 1. There are legitimate use-cases where GCC's assumption does not hold, e.g.:
>
>     #include <stdio.h>
>
>     void foo( int a )
>     {
>       char hello0[] = "hello0";
foo.c line 5: warning: 'const' omitted
>       char hello1[] = "hello1";
foo.c line 6: warning: 'const' omitted
>
>       char *ptr;
foo.c line 8: warning: 'const' omitted
>
>       switch (a % 2) {
>         case 0: ptr = hello0; break;
>         case 1: ptr = hello1; break;
>       }
>       printf( ptr );
>     }
>
> => The warning GCC issues is plain wrong.
> => -Werror=format-security removes the functionality of assigning pointers to format strings even if they are constant.

The example does not support this argument because the example omitted the 'const' (three places.) gcc-4.[89] isn't advanced enough to distinguish, but the example does not match the argument.
Re: FTBFS if -Werror=format-security flag is used
On 12/06/2013 08:11 PM, Kevin Kofler wrote:
> Adam Jackson wrote:
> > On Fri, 2013-12-06 at 02:21 +0100, Kevin Kofler wrote:
> > > QString line;
> > > line.fill( '-', 60 );
> > > qDebug( line.ascii() );
> > > As you can see, the format string being passed here is provably constant.
> > So fix the compiler.
> I don't think GCC will ever be able to prove that it is a constant. It would at least have to do intermodule inlining on the linked qstring.o to do that, which means qt3 would have to use the LTO support. Even then, I wouldn't count on it. Plus, if this construct were found in application code rather than in qt3 itself, GCC would even have to do the intermodule inlining on libqt-mt, which would also have negative consequences on binary compatibility. But knowing the contract of QString (Qt 3's in this case, but it's the same in Qt 4 and Qt 5), it's trivial for a human to prove it.
>
> Kevin Kofler

What is the best way to handle this case:

    qWarning(QObject::tr("Client name '%1' occupied.").arg(name).toUtf8());

something like, or can I make it simpler:

    qWarning("%s", qPrintable(QObject::tr("Client name '%1' occupied.").arg(name).toUtf8()));

regards

Brendan
Re: FTBFS if -Werror=format-security flag is used
Tue 2013-12-10 at 12:18 -0500, Darryl L. Pierce wrote:
> > Of all the packages I maintain, only one was affected by this issue. That one was easily solvable by deleting the bundled swig generated code in the sources and have the build regenerate it with a newer swig version that doesn't produce broken code.
> Our project isn't bundling any Swig generated code. It's generated as a part of the build process. Try not to make assumptions in future.

Where did I make this assumption? The description of my experience was supposed to tell something about swig. That older versions had problems but newer does not. No reflection on your project was intended whatsoever.

Mattias
Re: FTBFS if -Werror=format-security flag is used
On 12/06/2013 09:21 AM, Ralf Corsepius wrote:
> printf(string) is legitimate C, forcing printf("%s", string) is just silly.

My apologies for being repetitive, but the original point is that printf(string) is insecure unless you can guarantee that you control 'string' now and forever. Also, %s is the format for printing strings, so I just can't agree that coding printf("%s", string) is silly.
Re: FTBFS if -Werror=format-security flag is used
On Sun, 2013-12-08 at 01:17 +0100, Kevin Kofler wrote:
> Michael scherer wrote:
> > There is enough software not building anymore and dropped after mass rebuild to show that such problem are not really so uncommon.
> … the difference is that in this case, the offending code is actually perfectly compliant to the C or C++ standard, and rejecting it is a violation of the relevant standard (in addition to being backwards-incompatible).

Allow me to suggest something that really shouldn't be controversial, but probably is, because this is the internet: standards compliance for its own sake is not actually worthwhile.

- ajax
Re: FTBFS if -Werror=format-security flag is used
On 12/09/2013 03:33 PM, Przemek Klosowski wrote:
> On 12/06/2013 09:21 AM, Ralf Corsepius wrote:
> > printf(string) is legitimate C, forcing printf("%s", string) is just silly.
> My apologies for being repetitive, but the original point is that printf(string) is insecure unless you can guarantee that you control 'string' now and forever. Also, %s is the format for printing strings, so I just can't agree that coding printf("%s", string) is silly.

Silly is not the right word. printf("%s", string) is inefficient. In this case, it would be better to use puts/fputs.
Re: FTBFS if -Werror=format-security flag is used
On Mon, 2013-12-09 at 15:59 -0700, Rich Megginson wrote:
> On 12/09/2013 03:33 PM, Przemek Klosowski wrote:
> > On 12/06/2013 09:21 AM, Ralf Corsepius wrote:
> > > printf(string) is legitimate C, forcing printf("%s", string) is just silly.
> > My apologies for being repetitive, but the original point is that printf(string) is insecure unless you can guarantee that you control 'string' now and forever. Also, %s is the format for printing strings, so I just can't agree that coding printf("%s", string) is silly.
> Silly is not the right word. printf("%s", string) is inefficient. In this case, it would be better to use puts/fputs.

Unless something has changed recently, fputs and puts, just like gets and fgets, have been deprecated and are discouraged due to potential security issues.
Re: FTBFS if -Werror=format-security flag is used
On 10.12.2013 00:01, Les Howell wrote:
> On Mon, 2013-12-09 at 15:59 -0700, Rich Megginson wrote:
> > On 12/09/2013 03:33 PM, Przemek Klosowski wrote:
> > > On 12/06/2013 09:21 AM, Ralf Corsepius wrote:
> > > > printf(string) is legitimate C, forcing printf("%s", string) is just silly.
> > > My apologies for being repetitive, but the original point is that printf(string) is insecure unless you can guarantee that you control 'string' now and forever. Also, %s is the format for printing strings, so I just can't agree that coding printf("%s", string) is silly.
> > Silly is not the right word. printf("%s", string) is inefficient. In this case, it would be better to use puts/fputs.
> Unless something has changed recently, fputs and puts, just like gets and fgets, have been deprecated and are discouraged due to potential security issues.

Something must have changed. GCC uses puts instead of printf in some cases. Please, see below:

    $ cat p.c
    #include <stdio.h>

    int main()
    {
        printf("Hello world!\n");
        return 0;
    }
    $ gcc -S p.c
    $ cat p.s
            .file   "p.c"
            .section        .rodata
    .LC0:
            .string "Hello world!"
            .text
            .globl  main
            .type   main, @function
    main:
    .LFB0:
            .cfi_startproc
            pushq   %rbp
            .cfi_def_cfa_offset 16
            .cfi_offset 6, -16
            movq    %rsp, %rbp
            .cfi_def_cfa_register 6
            movl    $.LC0, %edi
            call    puts
            movl    $0, %eax
            popq    %rbp
            .cfi_def_cfa 7, 8
            ret
            .cfi_endproc
    .LFE0:
            .size   main, .-main
            .ident  "GCC: (GNU) 4.8.2 20131017 (Red Hat 4.8.2-1)"
            .section        .note.GNU-stack,"",@progbits

Mateusz Marzantowicz
Re: FTBFS if -Werror=format-security flag is used
On 09/12/13 23:01, Les Howell wrote:
> Unless something has changed recently, fputs and puts, just like gets and fgets, have been deprecated and are discouraged due to potential security issues.

Nonsense. The reason gets is dangerous is because it doesn't take a buffer size so will continue reading until it sees a newline even if it has long since overflowed the buffer - there is literally no way to use it safely unless you can guarantee the maximum length of a line in the input stream.

That does not apply to fgets, which takes a buffer length and is therefore safe as it will not overflow the buffer.

It also doesn't apply to puts or fputs, which are output routines so read from the buffer rather than writing to it, stopping at a nul.

Tom

-- 
Tom Hughes (t...@compton.nu)
http://compton.nu/
Re: FTBFS if -Werror=format-security flag is used
Les Howell wrote:
> > printf("%s", string) is inefficient. In this case, it would be better to use puts/fputs.
> Unless something has changed recently, fputs and puts, just like gets and fgets, have been deprecated and are discouraged due to potential security issues.

gets is horribly insecure because it doesn't care how long the buffer it's writing to is. fgets is better because it has a size parameter, but you have to take care to pass the correct size to it. It's more risky than a real array with bounds checking, but it's about as secure as it gets in the standard C library. puts and fputs aren't any more dangerous than any other handling of null-terminated strings. There is definitely no security to be gained by using printf instead of puts or fputs.

Björn Persson
Re: FTBFS if -Werror=format-security flag is used
Adam Jackson wrote:
> Allow me to suggest something that really shouldn't be controversial, but probably is, because this is the internet: standards compliance for its own sake is not actually worthwhile.

Tell that to the GCC (especially g++) developers who keep breaking backwards compatibility in the name of standards compliance. ;-)

The reason I don't like this proposed -Werror=format-security change is that it breaks compatibility and removes functionality, not just standards compliance for the sake of it.

Kevin Kofler
Re: FTBFS if -Werror=format-security flag is used
On Mon, Dec 09, 2013 at 03:01:55PM -0800, Les Howell wrote:
> Unless something has changed recently, fputs and puts, just like gets and fgets, have been deprecated and are discouraged due to potential security issues.

That is wrong. Only gets is deprecated (removed in C11, obsolescent in POSIX 2008, etc.), because it fills in a buffer without telling the library the size of the buffer, so it is pretty much always a security issue to use gets. All other functions you've listed aren't deprecated at all.

Jakub
Re: FTBFS if -Werror=format-security flag is used
Michael scherer wrote:
> That's already part of the life of packagers. For example, suddenly, gcc decide to be stricter and suddenly, some VCS written in C++ decide to not compile anymore, so you have to spend 1 full day just to make it compile. ( of course, totally fictitious example that didn't happen to me several years ago ).

That's bad enough and I already complain about that (IMHO backwards compatibility should go over strict standards compliance), but…

> There is enough software not building anymore and dropped after mass rebuild to show that such problem are not really so uncommon.

… the difference is that in this case, the offending code is actually perfectly compliant to the C or C++ standard, and rejecting it is a violation of the relevant standard (in addition to being backwards-incompatible).

Kevin Kofler
Re: FTBFS if -Werror=format-security flag is used
On 12/05/2013 07:43 PM, Jan Lieskovsky wrote:
> > From: Ralf Corsepius
> > Would you mind to explain why you guys are putting such an emphasis on -Wformat-security?
> Some possible ways how to look at it:
> * because when all reported packages are patched, it would remove one whole class of security flaws,

Iff the tools being utilized were reliable and if the findings are fixed by skilled people, who really understand what they are doing. Both do NOT APPLY in Fedora. Fedora/RH's GCC produces false diagnoses and the average Fedora packager is not an experienced C-developer.

=> Feel free to apply -W if you feel like it, but do not use -Werror.

Besides this: Appending -Werror to CFLAGS breaks configure scripts, which are applying compile-checks, to distinguish a system features. The fact nobody so far seems to be aware about this seriously worries me.

> > Sure, there are some serious cases, but ... there are many more further spread issues in C/C++-sources which people have been ignoring ever since Fedora and RH Linux distros exist.
> If we did (as you said), it shouldn't be used as an excuse / argument for continuing doing so.

One example: Go after type-size or with uninitialized variables issues. You'd be surprised how many packages are having serious issues with this, how difficult fixing these issues can be on occasion. The fatal trap lurking inside is 100% of all fixes appear to be trivial, while a small percentage actually isn't. Finding these is challenging to experienced coders/developers and definitely far beyond the skills of an average Fedora packager.

> > IMO, -Wformat-security is almost negligible in comparison to these and you are making way too much noise about it than it deserves.
> http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=format+string [*]

Yeah, a vulnerability - So what? I'd guess the number and severity of vulnerabilities caused by TmpOnTmpfs, defective SELinux-configurations and systemd are much more severe, not worth mentioning those caused by e.g. dirty usage of type-sizes in C-code.

Ralf
Re: FTBFS if -Werror=format-security flag is used
On 06.12.2013 10:37, Ralf Corsepius wrote:
> > IMO, -Wformat-security is almost negligible in comparison to these and you are making way too much noise about it than it deserves.
> > http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=format+string [*]
> Yeah, a vulnerability - So what? I'd guess the number and severity of vulnerabilities caused by TmpOnTmpfs

how should TmpOnTmpfs cause a vulnerability? the opposite is true
Re: FTBFS if -Werror=format-security flag is used
On Fri, 2013-12-06 at 10:37 +0100, Ralf Corsepius wrote:
> On 12/05/2013 07:43 PM, Jan Lieskovsky wrote:
> > > From: Ralf Corsepius
> > > Would you mind to explain why you guys are putting such an emphasis on -Wformat-security?
> > Some possible ways how to look at it:
> > * because when all reported packages are patched, it would remove one whole class of security flaws,
> Iff the tools being utilized were reliable and if the findings are fixed by skilled people, who really understand what they are doing. Both do NOT APPLY in Fedora. Fedora/RH's GCC produces false diagnoses and the average Fedora packager is not an experienced C-developer.

The intent is not for Fedora packagers to patch problems downstream, it is for them to report bugs upstream and have the problems fixed there.

-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | XMPP: adamw AT happyassassin . net
http://www.happyassassin.net
Re: FTBFS if -Werror=format-security flag is used
On 06.12.2013 11:30, Adam Williamson wrote:
> On Fri, 2013-12-06 at 10:37 +0100, Ralf Corsepius wrote:
> > On 12/05/2013 07:43 PM, Jan Lieskovsky wrote:
> > > > From: Ralf Corsepius
> > > > Would you mind to explain why you guys are putting such an emphasis on -Wformat-security?
> > > Some possible ways how to look at it:
> > > * because when all reported packages are patched, it would remove one whole class of security flaws,
> > Iff the tools being utilized were reliable and if the findings are fixed by skilled people, who really understand what they are doing. Both do NOT APPLY in Fedora. Fedora/RH's GCC produces false diagnoses and the average Fedora packager is not an experienced C-developer.
> The intent is not for Fedora packagers to patch problems downstream, it is for them to report bugs upstream and have the problems fixed there

that's fine and a perfect solution if it happens in a timely manner

but what is the plan if this does not work out for an unknown number of packages because upstream is not willing or able to fix it or only in a later release, given that the package is not buildable at all

there should at least exist a clear rule to overwrite the flag for such cases because "not buildable with -Werror=format-security" should not result in throwing a package out of the distribution or holding back an update which may fix a *real* security relevant bug but does not build
Re: FTBFS if -Werror=format-security flag is used
On 12/06/13 at 11:57am, Reindl Harald wrote:
> but what is the plan if this does not work out for an unknown number of packages because upstream is not willing or able to fix it or only in a later release, given that the package is not buildable at all

Contingency mechanism: Revert changes to redhat-rpm-config package and do a mass build.

https://fedoraproject.org/wiki/Changes/FormatSecurity#Contingency_Plan

There is still plenty of time left before this flag is even enabled in rawhide configuration by default.

https://fedorahosted.org/fesco/ticket/1185#comment:14

... This does not mean that you can slack off (kidding). Let me know if you want some help with the patches.

-- 
Dhiru
Re: FTBFS if -Werror=format-security flag is used
On 12/06/2013 11:30 AM, Adam Williamson wrote:
> On Fri, 2013-12-06 at 10:37 +0100, Ralf Corsepius wrote:
> > On 12/05/2013 07:43 PM, Jan Lieskovsky wrote:
> > > > From: Ralf Corsepius
> > > > Would you mind to explain why you guys are putting such an emphasis on -Wformat-security?
> > > Some possible ways how to look at it:
> > > * because when all reported packages are patched, it would remove one whole class of security flaws,
> > Iff the tools being utilized were reliable and if the findings are fixed by skilled people, who really understand what they are doing. Both do NOT APPLY in Fedora. Fedora/RH's GCC produces false diagnoses and the average Fedora packager is not an experienced C-developer.
> The intent is not for Fedora packagers to patch problems downstream, it is for them to report bugs upstream and have the problems fixed there.

What world are you living in? gcc fixes have always been fixed in Fedora first.
Re: FTBFS if -Werror=format-security flag is used
On 12/06/2013 12:25 PM, Brendan Jones wrote:
> On 12/06/2013 11:30 AM, Adam Williamson wrote:
> > On Fri, 2013-12-06 at 10:37 +0100, Ralf Corsepius wrote:
> > > On 12/05/2013 07:43 PM, Jan Lieskovsky wrote:
> > > > > From: Ralf Corsepius
> > > > > Would you mind to explain why you guys are putting such an emphasis on -Wformat-security?
> > > > Some possible ways how to look at it:
> > > > * because when all reported packages are patched, it would remove one whole class of security flaws,
> > > Iff the tools being utilized were reliable and if the findings are fixed by skilled people, who really understand what they are doing. Both do NOT APPLY in Fedora. Fedora/RH's GCC produces false diagnoses and the average Fedora packager is not an experienced C-developer.
> > The intent is not for Fedora packagers to patch problems downstream, it is for them to report bugs upstream and have the problems fixed there.
> What world are you living in? gcc fixes have always been fixed in Fedora first.

Please ignore all my replies in this thread. I am just busy and annoyed. This came at the wrong time.
Re: FTBFS if -Werror=format-security flag is used
On 12/04/13 at 07:10pm, Brendan Jones wrote: This is just a pain. Can someone explain to me why this is good? Original Message Subject: [Bug 1037125] hydrogen FTBFS if -Werror=format-security flag is https://bugzilla.redhat.com/show_bug.cgi?id=1037125 Hi Brendan, Can you *really* pass a QByteArray object directly to printf (and similar functions)? I have attached a patch to fix this FTBFS bug. I can't say if the fix is right (I don't know the code in question). Please give it a thought. ... I had originally planned on submitting patches too but I got caught up in a new project of mine. -- Dhiru diff --git a/libs/hydrogen/src/object.cpp b/libs/hydrogen/src/object.cpp index a75be58..3e3815d 100644 --- a/libs/hydrogen/src/object.cpp +++ b/libs/hydrogen/src/object.cpp @@ -239,9 +239,9 @@ void* loggerThread_func( void* param ) QString tmpString; for( it = last = queue.begin() ; it != queue.end() ; ++it ) { last = it; - printf( it-toLocal8Bit() ); + printf( %s, it-toLocal8Bit().data() ); if( pLogFile ) { - fprintf( pLogFile, it-toLocal8Bit() ); + fprintf( pLogFile, %s, it-toLocal8Bit().data() ); fflush( pLogFile ); } } -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
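Review bot: both hunks are the right fix for the same reason. In the loop the queued QString is converted to a QByteArray, and in the old form `printf( it-toLocal8Bit() )` that byte array is the *format* argument, so any `%` sequence inside a queued log message is parsed as a conversion specifier with no matching arguments (undefined behaviour, and exactly what -Werror=format-security rejects); with `printf( %s, it-toLocal8Bit().data() )` the only format string is the literal (the archive rendering has dropped the double quotes around `%s`, which must be present in the real source). Two things to check in the new lines: `.data()` points into the temporary QByteArray returned by `toLocal8Bit()`, which lives only until the end of that full expression, so it is fine inside the `printf`/`fprintf` call but must never be stored past that line; and since these messages are written verbatim anyway, `fputs( it->toLocal8Bit().constData(), stdout )` and `fputs( it->toLocal8Bit().constData(), pLogFile )` would give the same output without any format parsing at all.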
Re: FTBFS if -Werror=format-security flag is used
On 12/06/2013 12:59 PM, Dhiru Kholia wrote:
> On 12/04/13 at 07:10pm, Brendan Jones wrote:
>> This is just a pain. Can someone explain to me why this is good?
>> Original Message
>> Subject: [Bug 1037125] hydrogen FTBFS if -Werror=format-security flag is
>> https://bugzilla.redhat.com/show_bug.cgi?id=1037125
> Hi Brendan,
> Can you *really* pass a QByteArray object directly to printf (and similar functions)? I have attached a patch to fix this FTBFS bug. I can't say if the fix is right (I don't know the code in question). Please give it a thought.
> ...
> I had originally planned on submitting patches too but I got caught up in a new project of mine.
> -- Dhiru

Point taken. 10 FTBFSs just makes my brain explode.
Re: FTBFS if -Werror=format-security flag is used
On 12/06/2013 12:59 PM, Dhiru Kholia wrote:
> Can you *really* pass a QByteArray object directly to printf (and similar functions)?

Yes, as the format string argument, because the user-defined conversion comparison operator to const char * kicks in.

-- Florian Weimer / Red Hat Product Security Team
Re: FTBFS if -Werror=format-security flag is used
On 12/06/2013 01:26 PM, Florian Weimer wrote:
> On 12/06/2013 12:59 PM, Dhiru Kholia wrote:
>> Can you *really* pass a QByteArray object directly to printf (and similar functions)?
> Yes, as the format string argument, because the user-defined conversion comparison operator to const char * kicks in.

Eh, conversion operator. (I'm adding an RPM version type to PostgreSQL right now, with proper comparison operators, hence the confusion.)

-- Florian Weimer / Red Hat Product Security Team
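The conversion Florian describes, as an added example that is neither from this thread nor from Qt: a stand-in class that mirrors only the implicit `operator const char*()` QByteArray provides (that is the assumption; nothing else of Qt is modelled), a scanner that counts the `%` sequences printf would interpret if the text were used as a format, and the hardened `"%s"` form that the hydrogen patch above switches to.

```cpp
#include <cstdio>
#include <string>
#include <utility>

// Minimal stand-in for QByteArray, written for this example (not Qt code).
// Only the implicit conversion to const char* is mirrored.
class ByteArray {
public:
    explicit ByteArray(std::string s) : buf_(std::move(s)) {}
    const char *constData() const { return buf_.c_str(); }
    // This user-defined conversion is why
    //     printf(msg);        // msg silently becomes the *format* string
    // compiles at all, and why -Wformat-security flags that call: any '%'
    // inside msg would be parsed as a conversion specifier.
    operator const char *() const { return buf_.c_str(); }
private:
    std::string buf_;
};

// Count the '%' characters printf would interpret as conversion specifiers;
// "%%" is a literal percent sign and is skipped. Note that even "100% of"
// counts: ' ' is a flag and 'o' an octal conversion. A non-zero result is
// the runtime view of what the compiler warns about.
int conversion_specs(const ByteArray &msg) {
    int n = 0;
    for (const char *p = msg.constData(); *p != '\0'; ++p) {
        if (*p != '%') continue;
        if (p[1] == '%') { ++p; continue; }   // escaped "%%"
        ++n;
    }
    return n;
}

// Hardened form: the only format string is the literal "%s\n", so the message
// text is copied verbatim whatever characters it contains. Returns the number
// of bytes written (0 on error).
int write_message(FILE *fp, const ByteArray &msg) {
    int rc = std::fprintf(fp, "%s\n", msg.constData());
    return rc < 0 ? 0 : rc;
}

// Write a message to a temporary file and read the line back, so the
// behaviour can be checked without capturing stdout.
std::string roundtrip(const std::string &text) {
    FILE *fp = std::tmpfile();
    if (!fp) return std::string();
    write_message(fp, ByteArray(text));
    std::rewind(fp);
    std::string out;
    int c;
    while ((c = std::fgetc(fp)) != EOF && c != '\n')
        out.push_back(static_cast<char>(c));
    std::fclose(fp);
    return out;
}

int main() {
    // Constructed sample message: the kind of text a log line may carry.
    ByteArray msg("Client name 'foo' occupied, 100% of slots used (%d)");
    std::printf("specifiers printf would see: %d\n", conversion_specs(msg));
    write_message(stdout, msg);   // printed verbatim, no format parsing of msg
    return 0;
}
```

Passing `msg` to `write_message` instead of to `printf` directly is the whole fix: the compiler no longer sees a non-literal format, and a message containing `%` reaches the log unchanged.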
Re: FTBFS if -Werror=format-security flag is used
On 12/05/2013 08:27 PM, Kevin Kofler wrote:
> The vast majority of those warnings are actually false positives, not actual security issues. Putting my upstream hat on, if asked to fix such a false positive, I'd do one of: (a) close the bug as INVALID/NOTABUG/WONTFIX or (b) hardcode -Wno-error=format-security -Wno-format-security in my build setup and close the bug as FIXED.

They are potential security issues, because ignoring them (especially via (b)) sets everyone up for a fail. For instance, today it may be a constant format string, but tomorrow someone will introduce it as a settable configuration parameter. Given that pretty much all those cases can be solved by either "%s" or

  __attribute__((__format__(__printf__, 1, 2)));

it would really look petulant to insist on (a) or (b).
Re: FTBFS if -Werror=format-security flag is used
On 12/06/2013 10:43 AM, Reindl Harald wrote:
> On 06.12.2013 10:37, Ralf Corsepius wrote:
>> IMO, -Wformat-security is almost negligible in comparison to these and you are making way too much noise about it than it deserves.
> http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=format+string

[*] Yeah, a vulnerability - So what?

>> I'd guess the number and severity of vulnerabilities caused by TmpOnTmpfs
> how should TmpOnTmpfs cause a vulnerability? the opposite is true

TmpOnTmpfs is magnitudes smaller than a traditional /tmp on /. This causes programs/packages which are assuming an almost infinitely sized /tmp to easily fill up a small /tmp, and thus the system to choke.

2 Real world examples I've encountered with fedora 18 and 19:
* https://bugzilla.redhat.com/show_bug.cgi?id=971878
  This one usually kills an individual's system.
* https://bugzilla.redhat.com/show_bug.cgi?id=1006658
  This means using convert on a webserver allows arbitrary users on the web to kill servers.

Ralf
Re: FTBFS if -Werror=format-security flag is used
On 06.12.2013 14:08, Ralf Corsepius wrote:
> On 12/06/2013 10:43 AM, Reindl Harald wrote:
>> On 06.12.2013 10:37, Ralf Corsepius wrote:
>>> IMO, -Wformat-security is almost negligible in comparison to these and you are making way too much noise about it than it deserves.
>> http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=format+string
> [*] Yeah, a vulnerability - So what?
>>> I'd guess the number and severity of vulnerabilities caused by TmpOnTmpfs
>> how should TmpOnTmpfs cause a vulnerability? the opposite is true
> TmpOnTmpfs is magnitudes smaller than a traditional /tmp on /

yes, i am also not a fan of this default, see the list-archives
people who know and care about tmpfs did it long ago for their workloads
the improved performance is an urban legend for common workloads

> This causes programs/packages which are assuming an almost infinitely sized /tmp to easily fill up a small /tmp, and thus the system to choke.

which is not really a *security* problem
that's why you should have not listed it in that context

> 2 Real world examples I've encountered with fedora 18 and 19:
> * https://bugzilla.redhat.com/show_bug.cgi?id=971878
>   This one usually kills an individual's system.

see my comment https://bugzilla.redhat.com/show_bug.cgi?id=971878#c1
still not a security problem per se

> * https://bugzilla.redhat.com/show_bug.cgi?id=1006658
>   This means using convert on a webserver allows arbitrary users on the web to kill servers

if arbitrary users are allowed to call CLI applications from a webserver you have a security problem and that is for sure *not* TmpOnTmpfs
Re: FTBFS if -Werror=format-security flag is used
On 12/06/2013 02:07 PM, Przemek Klosowski wrote:
> On 12/05/2013 08:27 PM, Kevin Kofler wrote:
>> The vast majority of those warnings are actually false positives, not actual security issues. Putting my upstream hat on, if asked to fix such a false positive, I'd do one of: (a) close the bug as INVALID/NOTABUG/WONTFIX or (b) hardcode -Wno-error=format-security -Wno-format-security in my build setup and close the bug as FIXED.
> They are potential security issues, because ignoring them (especially via (b)) sets everyone up for a fail.

In case these errors are bogus?

> For instance, today it may be a constant format string, but tomorrow someone will introduce it as a settable configuration parameter. Given that pretty much all those cases can be solved by either "%s" or

== Forcing C coders to use a special coding style to silence a broken tool's warning on what is legitimate and correct code?

printf(string) is legitimate C, forcing printf("%s", string) is just silly.

Ralf
Re: FTBFS if -Werror=format-security flag is used
On 12/06/2013 02:57 PM, Reindl Harald wrote:
> On 06.12.2013 14:08, Ralf Corsepius wrote:
>> On 12/06/2013 10:43 AM, Reindl Harald wrote:
>>> On 06.12.2013 10:37, Ralf Corsepius wrote:
>>>> IMO, -Wformat-security is almost negligible in comparison to these and you are making way too much noise about it than it deserves.
>>> http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=format+string
>> [*] Yeah, a vulnerability - So what?
>>>> I'd guess the number and severity of vulnerabilities caused by TmpOnTmpfs
>>> how should TmpOnTmpfs cause a vulnerability? the opposite is true
>> TmpOnTmpfs is magnitudes smaller than a traditional /tmp on /
> yes, i am also not a fan of this default, see the list-archives
> people who know and care about tmpfs did it long ago for their workloads
> the improved performance is an urban legend for common workloads
>> This causes programs/packages which are assuming an almost infinitely sized /tmp to easily fill up a small /tmp, and thus the system to choke.
> which is not really a *security* problem

In the first place it's a denial of service problem. Once /tmp is filled up all kinds of weird issues pop up and cause all kinds of malfunctions.

>> 2 Real world examples I've encountered with fedora 18 and 19:
>> * https://bugzilla.redhat.com/show_bug.cgi?id=971878
>>   This one usually kills an individual's system.
> see my comment https://bugzilla.redhat.com/show_bug.cgi?id=971878#c1
> still not a security problem per se

Correct, it's a DOS problem.

>> * https://bugzilla.redhat.com/show_bug.cgi?id=1006658
>>   This means using convert on a webserver allows arbitrary users on the web to kill servers
> if arbitrary users are allowed to call CLI applications from a webserver

?!? Calling cli-tools underneath webservices is the norm on many webservers. Often these calls are wrapped into scripting languages, be they perl, python or php.

> you have a security problem and that is for sure *not* TmpOnTmpfs

TmpOnTmpfs opens opportunities for DOS attacks which do not exist with TmpOnFS.

Ralf
Re: FTBFS if -Werror=format-security flag is used
On 12/06/2013 12:26 PM, Dhiru Kholia wrote:
> On 12/06/13 at 11:57am, Reindl Harald wrote:
>> but what is the plan if this does not work out for an unknown number of packages because upstream is not willing or able to fix it or only in a later release, given that the package is not buildable at all
> Contingency mechanism: Revert changes to redhat-rpm-config package and do a mass build.

This would be a very rude abuse of governmental powers.

> https://fedoraproject.org/wiki/Changes/FormatSecurity#Contingency_Plan

How about rowing back and burying this plan for the time being until GCC has become more reliable?

> There is still plenty of time left before this flag is even enabled in rawhide configuration by default.

IMO, this plan has failed - period.

Ralf
Re: FTBFS if -Werror=format-security flag is used
On Fri, 2013-12-06 at 02:21 +0100, Kevin Kofler wrote:
> QString line;
> line.fill( '-', 60 );
> qDebug( line.ascii() );
>
> As you can see, the format string being passed here is provably constant.

So fix the compiler.

- ajax
Re: FTBFS if -Werror=format-security flag is used
Ralf Corsepius wrote:
> On 12/06/2013 12:26 PM, Dhiru Kholia wrote:
>> There is still plenty of time left before this flag is even enabled in rawhide configuration by default.
> IMO, this plan has failed - period.

+1

Kevin Kofler
Re: FTBFS if -Werror=format-security flag is used
PS:

Przemek Klosowski wrote:
> __attribute__((__format__(__printf__, 1, 2)));

is also compiler-specific, which some upstreams also won't like. Of course, it can be #ifdef-wrapped, but many upstreams try to avoid #ifdef as much as possible.

Kevin Kofler
Re: FTBFS if -Werror=format-security flag is used
Przemek Klosowski wrote:
> Given that pretty much all those cases can be solved by either "%s" or
> __attribute__((__format__(__printf__, 1, 2)));

"pretty much all" maybe, but not all! See e.g. the examples I have given in the FESCo ticket:

* a printf wrapper for logging which adds a timestamp in front of the format string, e.g. log("processed %d items", foo); which would be printed as "2013-12-06 19:00:00: processed 123 items" to some logfile (using vfprintf with a format string like "2013-12-06 19:00:00: processed %d items" concatenated at runtime).

* translatable format strings, e.g. printf(translate("processed %d items"), foo);

Kevin Kofler
Re: FTBFS if -Werror=format-security flag is used
Adam Jackson wrote:
> On Fri, 2013-12-06 at 02:21 +0100, Kevin Kofler wrote:
>> QString line;
>> line.fill( '-', 60 );
>> qDebug( line.ascii() );
>>
>> As you can see, the format string being passed here is provably constant.
> So fix the compiler.

I don't think GCC will ever be able to prove that it is a constant. It would at least have to do intermodule inlining on the linked qstring.o to do that, which means qt3 would have to use the LTO support. Even then, I wouldn't count on it. Plus, if this construct were found in application code rather than in qt3 itself, GCC would even have to do the intermodule inlining on libqt-mt, which would also have negative consequences on binary compatibility.

But knowing the contract of QString (Qt 3's in this case, but it's the same in Qt 4 and Qt 5), it's trivial for a human to prove it.

Kevin Kofler
Re: FTBFS if -Werror=format-security flag is used
Ben Boeckel wrote:
> Use the printf attribute on the function to fix this.

That doesn't work if I have to prepend a date to my format string.

Kevin Kofler
Re: FTBFS if -Werror=format-security flag is used
mrnuke (mr.nuke...@gmail.com) said:
>> Because packagers will just ignore it [...]
> I think this is a childish argument, but let's take it. So what? You're going to start stepping on people's lawns and change things just because you want to impose your greater good?

Wow, nice mixed metaphor.

Package maintenance is not a person's private domain; it's where we're signing up to maintain things as part of a community *as a service to the users that use what we produce*. Now, people do have different views on how some of these things may be handled, but the goals of Fedora have never been to focus primarily on the convenience of the packager - that's rather shortsighted. The point is to ensure that the software we provide to *users* doesn't contain security holes due to accident, intransigence, or other reasons.

Bill
Re: FTBFS if -Werror=format-security flag is used
On Fri, Dec 6, 2013 at 4:50 PM, Ralf Corsepius rc040...@freenet.de wrote:
> On 12/06/2013 12:26 PM, Dhiru Kholia wrote:
>> On 12/06/13 at 11:57am, Reindl Harald wrote:
>>> but what is the plan if this does not work out for an unknown number of packages because upstream is not willing or able to fix it or only in a later release, given that the package is not buildable at all
>> Contingency mechanism: Revert changes to redhat-rpm-config package and do a mass build.
> This would be a very rude abuse of governmental powers.

I don't understand how a plan for what to do if the change proves impossible or impractical is an abuse.

>> There is still plenty of time left before this flag is even enabled in rawhide configuration by default.
> IMO, this plan has failed - period.

Can we talk numbers instead of adjectives, please?

Out of the ~400 packages (and many more cases of the warning), I have reviewed about 10 prior to voting on this, and _all_ were incorrect (not necessarily insecure, but incorrect). So far I've seen precisely 3 cases (not 3 packages) where there was a false positive (a printf format with a provably constant string). How prevalent is this really?

If we ended up with -Werror=... _completely eliminating_ a class of programming bugs, now and for the future, and the cost were that ~5 packages out of 10k needed a workaround, that would be well worth it IMHO.

Mirek
Re: FTBFS if -Werror=format-security flag is used
On Fri, Dec 06, 2013 at 07:57:04PM +0100, Kevin Kofler wrote:
> Ralf Corsepius wrote:
>> On 12/06/2013 12:26 PM, Dhiru Kholia wrote:
>>> There is still plenty of time left before this flag is even enabled in rawhide configuration by default.
>> IMO, this plan has failed - period.
> +1

In the meantime, some of us fixed reported issues, got the patch merged upstream and rebuilt affected packages.

-- Tomasz Torcz
xmpp: zdzich...@chrome.pl
"Never underestimate the bandwidth of a station wagon filled with backup tapes." -- Jim Gray
Re: FTBFS if -Werror=format-security flag is used
On Fri, Dec 6, 2013 at 8:02 PM, Kevin Kofler kevin.kof...@chello.at wrote:
> See e.g. the examples I have given in the FESCo ticket:
> * a printf wrapper for logging which adds a timestamp in front of the format string, e.g. log("processed %d items", foo); which would be printed as "2013-12-06 19:00:00: processed 123 items" to some logfile (using vfprintf with a format string like "2013-12-06 19:00:00: processed %d items" concatenated at runtime).

Yes, this is a legitimate problem. (A workaround would be to do vfprintf with the original format string and _then_ concatenate, and I agree that it's not quite satisfactory.) I'm guessing that this is a fairly unusual way to implement this functionality - but I don't have data.

> * translatable format strings, e.g. printf(translate("processed %d items"), foo);

__attribute__ ((format_arg)), which is how gcc already knows about gettext(). (Actually, the logging wrapper case might also be solvable by doing the concatenation in a function with this attribute... I'm not sure that it's much better.)

Mirek
Re: FTBFS if -Werror=format-security flag is used
On Fri, Dec 06, 2013 at 08:02:06PM +0100, Kevin Kofler wrote:
> * translatable format strings, e.g. printf(translate("processed %d items"), foo);

Translatable strings are handled just fine. Try e.g.:

  /* format(printf, 2, 3): argument 2 is the format, arguments start at 3 */
  extern int my_printf (void *my_object, const char *my_format, ...)
    __attribute__ ((format (printf, 2, 3)));
  /* format_arg(2): the returned string is a format derived from argument 2 */
  extern char *my_dgettext (char *my_domain, const char *my_format)
    __attribute__ ((format_arg (2)));
  void *p;
  char *q;
  void foo ()
  {
    my_printf (p, my_dgettext (q, "abcd"));
  }

e.g. libintl.h already uses the right attributes, so you don't get errors for this.

Jakub
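As an added example (written for this page, not by Jakub, Mirek or Kevin, and not from libintl) of the two attributes in play across the last few messages: Jakub's `format_arg` on a translation lookup, the `format` attribute on a logging wrapper, and Mirek's workaround for Kevin's timestamp case, namely formatting the caller's string first and prepending the stamp afterwards so no runtime-built string is ever used as a format. `tr`, `log_line` and the two-entry catalogue are constructed for the example.

```cpp
#include <cstdarg>
#include <cstdio>
#include <cstring>
#include <string>

// Hypothetical message catalogue standing in for gettext (constructed here).
// format_arg(1) tells GCC that the returned string is a format derived from
// argument 1, so log_line(stamp, tr("processed %d items"), n) is checked
// exactly as if the literal had been passed directly. The catalogue must keep
// the same conversions as the msgid: the compiler checks the msgid, not the
// translation, which is the same contract gettext catalogues must honour.
__attribute__((format_arg(1)))
const char *tr(const char *msgid) {
    static const struct Entry { const char *id; const char *text; } catalogue[] = {
        {"processed %d items", "%d Elemente verarbeitet"},
        {"client name '%s' occupied", "Client-Name '%s' belegt"},
    };
    for (const Entry &e : catalogue)
        if (std::strcmp(e.id, msgid) == 0) return e.text;
    return msgid;   // untranslated: fall back to the msgid itself
}

// Logging wrapper that prefixes a timestamp. format(printf, 2, 3) makes the
// compiler check every call site's format/argument pairing, and a call such as
//     log_line(stamp, some_variable);
// is rejected under -Werror=format-security just as printf(some_variable) is.
// The wrapper itself stays warning-free: it formats the caller's format with
// vsnprintf first and only then prepends the stamp (Mirek's workaround), so
// the concatenated text never becomes a format string.
__attribute__((format(printf, 2, 3)))
std::string log_line(const char *stamp, const char *fmt, ...) {
    char body[512];
    va_list ap;
    va_start(ap, fmt);
    std::vsnprintf(body, sizeof body, fmt, ap);   // truncates, never overflows
    va_end(ap);
    std::string out(stamp);
    out += ": ";
    out += body;
    return out;
}

int main() {
    // Constructed timestamps; a real logger would call strftime() here.
    std::puts(log_line("2013-12-06 19:00:00", "processed %d items", 123).c_str());
    std::puts(log_line("2013-12-06 19:00:01", tr("client name '%s' occupied"), "foo").c_str());
    // Text that happens to contain '%' is passed as an argument, not as a format:
    std::puts(log_line("2013-12-06 19:00:02", "%s", "100% of slots used (%d)").c_str());
    return 0;
}
```

Kevin's objection still applies to the original shape of his wrapper, which built `"<stamp>: " + fmt` and handed that to vfprintf; the version above keeps the timestamp out of the format entirely, which is what makes it both warning-free and safe when a message body contains `%`.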
Re: FTBFS if -Werror=format-security flag is used
On Fri, Dec 06, 2013 at 02:27:05AM +0100, Kevin Kofler wrote:
> Michael scherer wrote:
>> Let's rather ask the contrary, why is this so much an issue to communicate with upstream to fix things, and add patches?
> The vast majority of those warnings are actually false positives, not actual security issues. Putting my upstream hat on, if asked to fix such a false positive, I'd do one of: (a) close the bug as INVALID/NOTABUG/WONTFIX or (b) hardcode -Wno-error=format-security -Wno-format-security in my build setup and close the bug as FIXED.

Additionally, some code (like my package, qpid-cpp) uses code that's generated by another app like Swig. We have no control over what that code is. So enabling this as an error would be unresolvable by our project and we'd be blocked until the Swig team decided to change their code generation bits.

--
Darryl L. Pierce mcpie...@gmail.com
http://mcpierce.fedorapeople.org/
"What do you care what people think, Mr. Feynman?"
Re: FTBFS if -Werror=format-security flag is used
On Fri, 2013-12-06 at 15:06 -0500, Darryl L. Pierce wrote:
> On Fri, Dec 06, 2013 at 02:27:05AM +0100, Kevin Kofler wrote:
>> Michael scherer wrote:
>>> Let's rather ask the contrary, why is this so much an issue to communicate with upstream to fix things, and add patches?
>> The vast majority of those warnings are actually false positives, not actual security issues. Putting my upstream hat on, if asked to fix such a false positive, I'd do one of: (a) close the bug as INVALID/NOTABUG/WONTFIX or (b) hardcode -Wno-error=format-security -Wno-format-security in my build setup and close the bug as FIXED.
> Additionally, some code (like my package, qpid-cpp) uses code that's generated by another app like Swig. We have no control over what that code is. So enabling this as an error would be unresolvable by our project and we'd be blocked until the Swig team decided to change their code generation bits.

So have you filed a bug against swig yet? ;)

[ideally, attaching an example of the problematic generated code, and the inputs]

Dave
Re: FTBFS if -Werror=format-security flag is used
On Thu, Dec 05, 2013 at 07:40:36PM -0600, mrnuke wrote:
> On 12/05/2013 11:38 AM, Michael scherer wrote:
>> On Wed, Dec 04, 2013 at 08:25:54PM -0600, mrnuke wrote:
>>> This change is Sofa King stupid. Why couldn't we have just enabled the warning without turning it into an error, THEN let packagers work with upstream in fixing those warnings? Regulate, not ban.
>> Because packagers will just ignore it [...]
> I think this is a childish argument, but let's take it. So what? You're going to start stepping on people's lawns and change things just because you want to impose your greater good?

In fact, I already do, I add checks in rpmlint for what I think to be the greater good. And in other times and places, I even forced people to fix some rpmlint errors in their packages, just based on my own judgement, or their packages would not be uploaded.

And while you may think this is childish, I have some data to back my assertion that some people ignore until there is enforcement. For example, I have seen no one except me requesting CVEs for potential security problems that rpmlint does see, for 6 months now ( missing-call-to-setgroups-before-setuid, missing-call-to-chdir-with-chroot ). Even during reviews, that's just ignored because this is not mandatory to fix ( for example https://bugzilla.redhat.com/show_bug.cgi?id=976770 ). ( and I did a run on the whole set of Fedora packages, so I know that I was not lucky and found the only single rpm with a problem ).

>> Let's rather ask the contrary, why is this so much an issue to communicate with upstream to fix things, and add patches?
> -Werror is not needed for communication. It is not about communication. This is about a small group of people imposing their MY WAY!!!.

Like there is a small group of people imposing packaging guidelines, so I fail to see your point exactly.

>> [...] really fail to see why there are people complaining.
> You run the assumption that all upstreams are paradise, heavenly, and friendly. And you also run the assumption that upstreams will never introduce such bugs in the future, never leaving packagers with the headache of patching things up.

That's already part of the life of packagers. For example, suddenly, gcc decides to be stricter and suddenly, some VCS written in C++ decides not to compile anymore, so you have to spend 1 full day just to make it compile. ( of course, a totally fictitious example that didn't happen to me several years ago ). There is enough software not building anymore and dropped after mass rebuild to show that such problems are not really so uncommon.

-- Michael Scherer
Re: FTBFS if -Werror=format-security flag is used
On 06.12.2013 15:59, Ralf Corsepius wrote:
> On 12/06/2013 02:57 PM, Reindl Harald wrote:
>> if arbitrary users are allowed to call CLI applications from a webserver
> ?!? Calling cli-tools underneath webservices is the norm on many webservers. Often these calls are wrapped into scripting languages, be they perl, python or php.

what ?!? if you allow calling any CLI command on a webserver you have a serious problem - period

in case of PHP open_basedir is your friend and without disable_functions it is completely worthless, so don't mix wrongly configured webservers with the topic

disable_functions = apache_child_terminate, chown, dl, exec, fileinode, get_current_user, getmypid, getmyuid, getrusage, highlight_file, link, mail, openlog, passthru, pclose, pcntl_alarm, pcntl_errno, pcntl_exec, pcntl_fork, pcntl_get_last_error, pcntl_getpriority, pcntl_setpriority, pcntl_signal_dispatch, pcntl_signal, pcntl_sigprocmask, pcntl_sigtimedwait, pcntl_sigwaitinfo, pcntl_strerror, pcntl_wait, pcntl_waitpid, pcntl_wexitstatus, pcntl_wifexited, pcntl_wifsignaled, pcntl_wifstopped, pcntl_wstopsig, pcntl_wtermsig, pfsockopen, popen, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, shell_exec, show_source, socket_accept, socket_bind, symlink, syslog, system

>> you have a security problem and that is for sure *not* TmpOnTmpfs
> TmpOnTmpfs opens opportunities for DOS attacks which do not exist with TmpOnFS

if i have to choose between a *self* DOS because of wrong webserver capabilities and the code execution that -Werror=format-security should prevent, i take the DOS

and on a sanely configured webserver you have a dedicated /tmp partition, which means TmpOnTmpfs does not matter at all
Re: FTBFS if -Werror=format-security flag is used
Fri 2013-12-06 at 15:06 -0500, Darryl L. Pierce wrote:
> On Fri, Dec 06, 2013 at 02:27:05AM +0100, Kevin Kofler wrote:
>> Michael scherer wrote:
>>> Let's rather ask the contrary, why is this so much an issue to communicate with upstream to fix things, and add patches?
>> The vast majority of those warnings are actually false positives, not actual security issues. Putting my upstream hat on, if asked to fix such a false positive, I'd do one of: (a) close the bug as INVALID/NOTABUG/WONTFIX or (b) hardcode -Wno-error=format-security -Wno-format-security in my build setup and close the bug as FIXED.
> Additionally, some code (like my package, qpid-cpp) uses code that's generated by another app like Swig. We have no control over what that code is. So enabling this as an error would be unresolvable by our project and we'd be blocked until the Swig team decided to change their code generation bits.

Don't use swig as an excuse not to fix things.

Of all the packages I maintain, only one was affected by this issue. That one was easily solvable by deleting the bundled swig generated code in the sources and having the build regenerate it with a newer swig version that doesn't produce broken code.

My other packages once used to have quite a few of these, but since Debian has had -Werror=format-security as the default for quite some time now those were already fixed in order to compile on Debian. So adding this as the default for Fedora now will not nearly be as disruptive as it was when it was added as a default on Debian. We are coming late to the game here.

Mattias
Re: FTBFS if -Werror=format-security flag is used
On 12/07/2013 03:39 AM, Reindl Harald wrote:
> On 06.12.2013 15:59, Ralf Corsepius wrote:
>> On 12/06/2013 02:57 PM, Reindl Harald wrote:
>>> if arbitrary users are allowed to call CLI applications from a webserver
>> ?!? Calling cli-tools underneath webservices is the norm on many webservers. Often these calls are wrapped into scripting languages, be they perl, python or php.
> what ?!? if you allow calling any CLI command on a webserver you have a serious problem - period

Have a nice life - End of Thread.
Re: FTBFS if -Werror=format-security flag is used
Brendan Jones wrote:
> Patching is not a problem. Unnecessary is the question. Explain to me (not you in particular Rahul) how these printf's can possibly be exploited?

Even if you could prove that a % can never occur in any of these strings, so that the error can't even cause a crash in any of these cases, there is still a bit of performance to be gained in many cases. Why waste cycles looking for a % in every position in a long string when you know there aren't supposed to be any formatting codes?

Björn Persson
Re: FTBFS if -Werror=format-security flag is used
On 12/05/2013 10:26 AM, Björn Persson wrote:
> Brendan Jones wrote:
>> Patching is not a problem. Unnecessary is the question. Explain to me (not you in particular Rahul) how these printf's can possibly be exploited?

I believe to be able to prove GCC is producing bogus warnings:

Cf. https://bugzilla.redhat.com/show_bug.cgi?id=1037293 (This is a trimmed down example of a real world case).

AFAIU Jakub, the only issue with this code is GCC hitting its implementation limitations, which is causing it to produce a bogus warning/error.

Ralf
Re: FTBFS if -Werror=format-security flag is used
On 12/05/2013 11:00 AM, Ralf Corsepius wrote:
> On 12/05/2013 10:26 AM, Björn Persson wrote:
>> Brendan Jones wrote:
>>> Patching is not a problem. Unnecessary is the question. Explain to me (not you in particular Rahul) how these printf's can possibly be exploited?
>
> I believe to be able to prove GCC is producing bogus warnings: Cf. https://bugzilla.redhat.com/show_bug.cgi?id=1037293 (This is a trimmed down example of a real world case).

The offending line is this:

    fprintf(fp, endfmt);

endfmt is not a string literal, so the warning is correct in the sense that it provides the intended diagnostic. GCC could perhaps do better in some cases, but not without relying on the optimizers.

-- 
Florian Weimer / Red Hat Product Security Team
Re: FTBFS if -Werror=format-security flag is used
On 12/05/2013 02:15 PM, Florian Weimer wrote:
> On 12/05/2013 11:00 AM, Ralf Corsepius wrote:
>> On 12/05/2013 10:26 AM, Björn Persson wrote:
>>> Brendan Jones wrote:
>>>> Patching is not a problem. Unnecessary is the question. Explain to me (not you in particular Rahul) how these printf's can possibly be exploited?
>>
>> I believe to be able to prove GCC is producing bogus warnings: Cf. https://bugzilla.redhat.com/show_bug.cgi?id=1037293 (This is a trimmed down example of a real world case).
>
> The offending line is this:
>
>     fprintf(fp, endfmt);
>
> endfmt is not a string literal,

Right, but it is a constant and is never going to be modified.

> so the warning is correct in the sense that it provides the intended diagnostic. GCC could perhaps do better in some cases, but not without relying on the optimizers.

Well, a matter of point of view. As I see it, GCC's -Wformat-security is too unreliable to be used in production. It certainly diagnoses valid security leaks in some cases, but all it does in other cases is to enforce stylishness to work around GCC's limitations. I.e. in these cases it effectively only causes churn.

I.e. I see sense in adding it to %optflags as a warning (-W...), but raising this warning to an error (-Werror=...) at this point in time qualifies as not helpful.

Ralf
Re: FTBFS if -Werror=format-security flag is used
On 12/05/2013 07:38 AM, Ralf Corsepius wrote:
> As I see it, GCC's -Wformat-security is too unreliable to be used in production. It certainly diagnoses valid security leaks in some cases, but all it does in other cases is to enforce stylishness to work around GCC's limitations. I.e. in these cases it effectively only causes churn.
>
> I.e. I see sense in adding it to %optflags as a warning (-W...), but raising this warning to an error (-Werror=...) at this point in time qualifies as not helpful.

+1
Re: FTBFS if -Werror=format-security flag is used
----- Original Message -----
> From: mrnuke mr.nuke...@gmail.com
> To: devel@lists.fedoraproject.org
> Sent: Thursday, December 5, 2013 3:37:14 PM
> Subject: Re: FTBFS if -Werror=format-security flag is used
>
> On 12/05/2013 07:38 AM, Ralf Corsepius wrote:
>> As I see it, GCC's -Wformat-security is too unreliable to be used in production. It certainly diagnoses valid security leaks in some cases, but all it does in other cases is to enforce stylishness to work around GCC's limitations. I.e. in these cases it effectively only causes churn.
>>
>> I.e. I see sense in adding it to %optflags as a warning (-W...), but raising this warning to an error (-Werror=...) at this point in time qualifies as not helpful.
>
> +1

I think the point of turning the warning into an explicit error is to intentionally make the package / source build fail, to indicate there's an error present somewhere in the code and that it should be fixed. Better to be safe than sorry (in this context, better to fix all known format string flaws ahead of time rather than to wait till someone actually takes the time and effort to show it's exploitable [like in the mentioned sudo case already]). In that scenario it will need to be fixed anyway (and possibly in more of a hurry than now).

Just my 2 cents.

Regards, Jan.

-- 
Jan iankko Lieskovsky / Red Hat Security Technologies Team
Re: FTBFS if -Werror=format-security flag is used
On 12/05/2013 03:25 AM, mrnuke wrote:
> On 12/04/2013 12:10 PM, Brendan Jones wrote:
>> This is just a pain. Can someone explain to me why this is good?
>
> Good or not, this is not the right question to ask.
> * Is this necessary, and are the benefits worth the pains?
> * This change is Sofa King stupid.

I think the F in Fedora doesn't stand for this particular word. :(

> Why couldn't we have just enabled the warning without turning it into an error, THEN let packagers work with upstream in fixing those warnings? Regulate, not ban.

For the current stage (filing bugs for known failures), it does not make much of a difference how the data is obtained about future build failures. Filing bugs seems reasonable for tracking purposes.

-- 
Florian Weimer / Red Hat Product Security Team
Re: FTBFS if -Werror=format-security flag is used
On Wed, Dec 4, 2013 at 7:29 PM, Daniel P. Berrange berra...@redhat.com wrote:
> On Wed, Dec 04, 2013 at 07:10:39PM +0100, Brendan Jones wrote:
>> This is just a pain. Can someone explain to me why this is good?
>
> If you read the bug description you'll see the link which answers your question.
>
> https://fedoraproject.org/wiki/Format-Security-FAQ

Interesting, for me almost, that many refs are from debian/ubuntu world.

Best Regards

> Daniel
> -- 
> |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
> |: http://libvirt.org -o- http://virt-manager.org :|
> |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
> |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
Re: FTBFS if -Werror=format-security flag is used
On Wed, Dec 04, 2013 at 08:25:54PM -0600, mrnuke wrote:
> On 12/04/2013 12:10 PM, Brendan Jones wrote:
>> This is just a pain. Can someone explain to me why this is good?
>
> Good or not, this is not the right question to ask.
> * Is this necessary, and are the benefits worth the pains?
> * This change is Sofa King stupid.
>
> Why couldn't we have just enabled the warning without turning it into an error, THEN let packagers work with upstream in fixing those warnings? Regulate, not ban.

Because packagers will just ignore it like some currently ignore rpmlint or various checks, and in turn this just produces noise for anyone looking to see if something needs to be fixed or not.

There is also the case where the code looks fine, so you start to ignore the warning, then upstream changes the code, and now this is exploitable and problematic, but since people stopped caring about it, no one knows until someone exploits it.

Let's rather ask the contrary: why is this so much of an issue to communicate with upstream to fix things, and add patches? This was not an issue for Debian and Ubuntu, nor for Mandriva and Mageia when similar changes were enforced, and usually most upstreams are receptive, so I really fail to see why there are people complaining.

-- 
Michael Scherer
Re: FTBFS if -Werror=format-security flag is used
On Wed, Dec 04, 2013 at 10:09:43PM +0100, devzero2000 wrote:
> Interesting, for me almost, that many refs are from debian/ubuntu world.

Well, that's the convenience of being late to the party. The majority of the work was already done by other distros and we can build upon that. In other cases Fedora is first and the other distros have the ability to rely on our painfully gathered experience. That's a good thing.
Re: FTBFS if -Werror=format-security flag is used
On 12/05/2013 06:38 PM, Michael scherer wrote:
> On Wed, Dec 04, 2013 at 08:25:54PM -0600, mrnuke wrote:
>> On 12/04/2013 12:10 PM, Brendan Jones wrote:
>>> This is just a pain. Can someone explain to me why this is good?
>>
>> Good or not, this is not the right question to ask.
>> * Is this necessary, and are the benefits worth the pains?
>> * This change is Sofa King stupid.
>>
>> Why couldn't we have just enabled the warning without turning it into an error, THEN let packagers work with upstream in fixing those warnings? Regulate, not ban.

Exactly. IMO, the appropriate step would be to add -Wformat-security (Note: -W, not -Werror) to %optflags to draw the maintainers' attention to it and then be done with it.

> Because packagers will just ignore it like some currently ignore rpmlint or various checks, and in turn this just produces noise for anyone looking to see if something needs to be fixed or not.

Would you mind explaining why you guys are putting such an emphasis on -Wformat-security?

Sure, there are some serious cases, but ... there are many more widespread issues in C/C++ sources which people have been ignoring ever since Fedora and RH Linux distros have existed. IMO, -Wformat-security is almost negligible in comparison to these and you are making way more noise about it than it deserves.

> Let's rather ask the contrary: why is this so much of an issue to communicate with upstream to fix things, and add patches? This was not an issue for Debian and Ubuntu,

Do these distros meanwhile have consistent CFLAGS? Last time I checked (ca. a year ago) no such thing existed in Debian nor Ubuntu packages.

> nor for Mandriva and Mageia when similar changes were enforced, and usually most upstreams are receptive, so I really fail to see why there are people complaining.

With all due respect to these distros, but does this really need to be explained?

Ralf
Re: FTBFS if -Werror=format-security flag is used
On Wed, Dec 04, 2013 at 11:56:23PM +0100, Brendan Jones wrote:
> Patching is not a problem. Unnecessary is the question. Explain to me (not you in particular Rahul) how these printf's can possibly be exploited?

Uhm, I just took a look at the hydrogen source. The problem with it is that it's not at all obvious that the f?printf calls can't lead to bad things happening. This is not a case of GCC failing to account for some trivial indirection.

Fix it, please. Really, you should.

Lars
Re: FTBFS if -Werror=format-security flag is used
----- Original Message -----
> On Wed, Dec 04, 2013 at 05:11:16PM -0600, Ian Pilcher wrote:
>> On 12/04/2013 04:56 PM, Brendan Jones wrote:
>>> Patching is not a problem. Unnecessary is the question. Explain to me (not you in particular Rahul) how these printf's can possibly be exploited?
>>
>>     char *output;
>>     output = get_user_input(...);
>>     printf(output);
>>
>> What happens when the user enters %n?
>
> With -D_FORTIFY_SOURCE=2 the program is aborted, unless the string resides in read-only memory ;)

While this response is likely meant to be a bit snarky, I'd like to explain this a bit more.

The idea here is we have multiple layers of defense. We don't have to only worry about one technology. They fail from time to time, so you make sure you have a backup, and a backup of the backup, and so on. We never want to rely on one security technology to solve our problems, so we combine several.

It also helps us future proof the code. Things can change in the future; by making wise decisions today we can avoid some pain tomorrow.

There is also a bigger idea of making sure developers think about what they're doing. If you just smash out a printf(foo), you don't have to give the type of foo a second thought. The thinking is that if you add an extra step, it will hopefully remind the developer to think about what they're doing for a second (and hopefully prevent a bug). This is of course subjective, I can't prove it's the case.

And lastly, while you can't execute arbitrary code with a %n these days (in theory), you can cause a denial-of-service, which often isn't ideal either.

Thanks.

-- 
Josh Bressers / Red Hat Product Security Team
Re: FTBFS if -Werror=format-security flag is used
On Wed, Dec 04, 2013 at 11:56:23PM +0100, Brendan Jones wrote:
> Patching is not a problem. Unnecessary is the question. Explain to me (not you in particular Rahul) how these printf's can possibly be exploited?

To expand on my earlier mail: the printf usage in hydrogen is definitely horribly wrong. Basically all logging output is passed through these calls and might contain data from all kinds of sources, be it file names or various metadata.

Want to see it crash? Crank up the log level (-VInfo does it) and pick "save library" from the menu. Enter some printf format specifiers (%s or something) in the name or author field.

    Segmentation fault (core dumped)

Oops. Valgrind had this to say:

    Process terminating with default action of signal 11 (SIGSEGV)
     General Protection Fault
       at 0x863508F: vfprintf (vfprintf.c:1635)
       by 0x86F0600: __printf_chk (printf_chk.c:35)
       by 0x584360: loggerThread_func(void*) (stdio2.h:104)
       by 0x4E38F32: start_thread (pthread_create.c:309)
       by 0x86E0EAC: clone (clone.S:111)

loggerThread_func? You'll find that in object.cpp. The crashing printf call is on line 242. But you know that already, as Dhiru wrote it in the bug report for your package.

I'm sure someone more determined than me might find all sorts of ways to make use of these flaws that are not in the interest of hydrogen's users.

Lars
Re: FTBFS if -Werror=format-security flag is used
On Thu, Dec 05, 2013 at 07:11:19PM +0100, Ralf Corsepius wrote:
> Sure, there are some serious cases, but ... there are many more widespread issues in C/C++ sources which people have been ignoring ever since Fedora and RH Linux distros have existed. IMO, -Wformat-security is almost negligible in comparison to these and you are making way more noise about it than it deserves.

C/C++ sucks and it's sad that developers won't use more reliable languages and techniques. However, *given* that there exists a lot of C/C++ code that we'd like to run, it's better to try to harden it than to give up.

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
libguestfs lets you edit virtual machines. Supports shell scripting, bindings from many languages. http://libguestfs.org
Re: FTBFS if -Werror=format-security flag is used
Let me reproduce here for a wider audience my comments I have just posted in the FESCo ticket:

IMHO, turning this warning into an error is a horribly flawed idea. It just has way too many false positives. For example, here's the snippet it complains about in Qt 3:

    QString line;
    line.fill( '-', 60 );
    qDebug( line.ascii() );

As you can see, the format string being passed here is provably constant. The code just avoids spelling out 60 dashes.

Using -Werror=anything is always a bad idea. Expecting maintainers to actually go and patch the code for false positives rather than just adding -Wno-error=format-security is also unrealistic.

There are also valid uses of variable format strings which cannot simply be fixed by adding a %s (because they're actual format strings), think e.g. a printf wrapper for logging which adds a timestamp in front of the format string. Format strings could also be translatable.

This flag makes our compiler no longer comply with the C/C++ standards and breaks valid and perfectly secure code.

Kevin Kofler
Re: FTBFS if -Werror=format-security flag is used
Michael scherer wrote:
> Let's rather ask the contrary: why is this so much of an issue to communicate with upstream to fix things, and add patches?

The vast majority of those warnings are actually false positives, not actual security issues. Putting my upstream hat on, if asked to fix such a false positive, I'd do one of: (a) close the bug as INVALID/NOTABUG/WONTFIX or (b) hardcode -Wno-error=format-security -Wno-format-security in my build setup and close the bug as FIXED.

Kevin Kofler
Re: FTBFS if -Werror=format-security flag is used
On 12/05/2013 09:41 AM, Florian Weimer wrote:
> For the current stage (filing bugs for known failures), it does not make much of a difference how the data is obtained about future build failures. Filing bugs seems reasonable for tracking purposes.

The FESCO ticket is about enabling -Werror=formatfoo. by default for *all* packages. Enabling warnings is fine, filing bugs is fine, but turning this into an error is not.
Re: FTBFS if -Werror=format-security flag is used
Jan Lieskovsky wrote:
> I think the point of turning the warning into an explicit error is to intentionally make the package / source build fail, to indicate there's an error present somewhere in the code and that it should be fixed.

But in many cases there actually ISN'T any error to begin with!

Kevin Kofler
Re: FTBFS if -Werror=format-security flag is used
On 12/05/2013 11:38 AM, Michael scherer wrote:
> On Wed, Dec 04, 2013 at 08:25:54PM -0600, mrnuke wrote:
>> This change is Sofa King stupid.
>> Why couldn't we have just enabled the warning without turning it into an error, THEN let packagers work with upstream in fixing those warnings? Regulate, not ban.
>
> Because packagers will just ignore it [...]

I think this is a childish argument, but let's take it. So what? You're going to start stepping on people's lawns and change things just because you want to impose your "greater good"?

> Let's rather ask the contrary: why is this so much of an issue to communicate with upstream to fix things, and add patches?

-Werror is not needed for communication. It is not about communication. This is about a small group of people imposing their "MY WAY!!!".

> [...] really fail to see why there are people complaining.

You run on the assumption that all upstreams are paradise, heavenly, and friendly. And you also run on the assumption that upstreams will never introduce such bugs in the future, never leaving packagers with the headache of patching things up.
Re: FTBFS if -Werror=format-security flag is used
On Fri, 06 Dec, 2013 at 01:21:20 GMT, Kevin Kofler wrote:
> a printf wrapper for logging which adds a timestamp in front of the format string.

Use the printf attribute on the function to fix this. See stalonetray's patch[1]. It can't be done portably with a macro (you need ## __VA_ARGS__ for that, so it should be a function anyways).

--Ben

[1] https://pkgs.fedoraproject.org/cgit/stalonetray.git/tree/stalonetray-0.8.1--Werror-format-security.patch
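As an added example (not code from hydrogen, stalonetray or any poster), this is the shape of the fix Ben describes for the logging wrapper Kevin mentions: the wrapper prepends a timestamp and forwards a non-literal format to vsnprintf, and the printf format attribute makes GCC apply -Wformat-security to the wrapper's callers, while plain text such as a file name or a dialog field goes through "%s". All function names and sample messages are assumptions, and the timestamp is passed in as a string rather than read from the clock so the output is reproducible.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/*
 * Example logging wrapper (added here; not hydrogen's or stalonetray's code).
 * The timestamp is passed in as a string so the functions are deterministic;
 * a real logger would build it with time()/strftime() instead.
 *
 * Core: write "[<stamp>] " followed by the formatted message.  Returns the
 * full length like snprintf (a value >= outsz means truncation), or -1 if
 * even the prefix does not fit or formatting fails.  Forwarding a non-literal
 * fmt to vsnprintf is fine: the v* functions take a va_list and are not
 * subject to -Wformat-security.
 */
int log_vwrite(char *out, size_t outsz, const char *stamp, const char *fmt, va_list ap)
{
    int n = snprintf(out, outsz, "[%s] ", stamp);
    if (n < 0 || (size_t)n >= outsz)
        return -1;
    int m = vsnprintf(out + n, outsz - (size_t)n, fmt, ap);
    return m < 0 ? -1 : n + m;
}

/*
 * The format attribute declares argument 4 a printf-style format consumed by
 * the arguments from position 5 on.  GCC then applies -Wformat and
 * -Wformat-security to every caller of log_write exactly as it does for
 * printf, so the wrapper no longer hides format-string bugs in its callers.
 */
__attribute__((format(printf, 4, 5)))
int log_write(char *out, size_t outsz, const char *stamp, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int r = log_vwrite(out, outsz, stamp, fmt, ap);
    va_end(ap);
    return r;
}

/* Same, into a static buffer; returns NULL if the message was truncated. */
__attribute__((format(printf, 2, 3)))
const char *log_str(const char *stamp, const char *fmt, ...)
{
    static char buf[128];
    va_list ap;
    va_start(ap, fmt);
    int r = log_vwrite(buf, sizeof buf, stamp, fmt, ap);
    va_end(ap);
    return (r < 0 || (size_t)r >= sizeof buf) ? NULL : buf;
}

/*
 * For text that is data rather than a format (a file name, a field typed
 * into a dialog, a translated message) route it through "%s".  A '%' in the
 * data is then copied literally instead of being parsed as a conversion, so
 * "100%new" logs as "100%new" and a "%n" in user input does nothing.
 *
 * Compare with the pattern the thread objects to:
 *     log_str(stamp, text);          // text itself used as the format
 * Thanks to the attribute, GCC rejects that call under -Werror=format-security:
 * the format is not a literal and no further arguments are supplied.
 */
const char *log_text(const char *stamp, const char *text)
{
    return log_str(stamp, "%s", text);
}

int main(void)
{
    /* Constructed sample data; the timestamp is fixed for reproducibility. */
    const char *stamp = "2013-12-05 12:00:00";
    puts(log_str(stamp, "loaded %d samples from %s", 3, "kit.xml"));
    puts(log_text(stamp, "author: 100%new %n %s"));   /* printed verbatim */
    return 0;
}
```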
Re: FTBFS if -Werror=format-security flag is used
On 12/05/2013 03:25 AM, mrnuke wrote:
> On 12/04/2013 12:10 PM, Brendan Jones wrote:
>> This is just a pain. Can someone explain to me why this is good?
>
> Good or not, this is not the right question to ask.
> * Is this necessary, and are the benefits worth the pains?
> * This change is Sofa King stupid.
>
> Why couldn't we have just enabled the warning without turning it into an error, THEN let packagers work with upstream in fixing those warnings? Regulate, not ban.
>
> Alex

Agree. Failing on this warning IS stupid. Are we trying to exclude developers from Fedora? Trivial to fix, sure, but surely there is better use of our time. I would much rather spend time on fixing real bugs with upstream than this.
Re: FTBFS if -Werror=format-security flag is used
On Wed, Dec 04, 2013 at 07:10:39PM +0100, Brendan Jones wrote:
> This is just a pain. Can someone explain to me why this is good?

If you read the bug description you'll see the link which answers your question.

https://fedoraproject.org/wiki/Format-Security-FAQ

Daniel
-- 
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
Re: FTBFS if -Werror=format-security flag is used
On 12/04/2013 07:29 PM, Daniel P. Berrange wrote:
> On Wed, Dec 04, 2013 at 07:10:39PM +0100, Brendan Jones wrote:
>> This is just a pain. Can someone explain to me why this is good?
>
> If you read the bug description you'll see the link which answers your question.
>
> https://fedoraproject.org/wiki/Format-Security-FAQ
>
> Daniel

I'm sorry, but I can't see why any of my packages (10+) are at risk.
Re: FTBFS if -Werror=format-security flag is used
Hi

On Wed, Dec 4, 2013 at 1:45 PM, Brendan Jones wrote:
> I'm sorry, but I can't see why any of my packages (10+) are at risk.

This is just a best practice to mitigate any risks that might exist, just like any of the other security improvements we make from time to time. Even if you don't see any immediate benefits, there is no harm in following the appropriate guidelines here. Coordinate with upstream.

Rahul
Re: FTBFS if -Werror=format-security flag is used
On 12/04/2013 07:59 PM, Rahul Sundaram wrote:
> Hi
>
> On Wed, Dec 4, 2013 at 1:45 PM, Brendan Jones wrote:
>> I'm sorry, but I can't see why any of my packages (10+) are at risk.
>
> This is just a best practice to mitigate any risks that might exist, just like any of the other security improvements we make from time to time. Even if you don't see any immediate benefits, there is no harm in following the appropriate guidelines here. Coordinate with upstream.
>
> Rahul

Overkill if you ask me,

Brendan
Re: FTBFS if -Werror=format-security flag is used
Hi

On Wed, Dec 4, 2013 at 3:05 PM, Brendan Jones wrote:
> Overkill if you ask me,

It might appear to be one till it ends up avoiding or mitigating a security issue. It is just a bunch of trivial changes and I am sure you can ask for help with patches if needed.

Rahul
Re: FTBFS if -Werror=format-security flag is used
On 12/04/2013 09:39 PM, Rahul Sundaram wrote:
> Hi
>
> On Wed, Dec 4, 2013 at 3:05 PM, Brendan Jones wrote:
>> Overkill if you ask me,
>
> It might appear to be one till it ends up avoiding or mitigating a security issue. It is just a bunch of trivial changes and I am sure you can ask for help with patches if needed.
>
> Rahul

Patching is not a problem. Unnecessary is the question. Explain to me (not you in particular Rahul) how these printf's can possibly be exploited?
Re: FTBFS if -Werror=format-security flag is used
On Wed, Dec 04, 2013 at 11:56:23PM +0100, Brendan Jones wrote:
> Patching is not a problem. Unnecessary is the question. Explain to me (not you in particular Rahul) how these printf's can possibly be exploited?

Google for "sudo format string exploit".

Yours
Tony
Re: FTBFS if -Werror=format-security flag is used
On 12/04/2013 04:56 PM, Brendan Jones wrote:
> Patching is not a problem. Unnecessary is the question. Explain to me (not you in particular Rahul) how these printf's can possibly be exploited?

    char *output;
    output = get_user_input(...);
    printf(output);

What happens when the user enters %n?

-- 
Ian Pilcher arequip...@gmail.com
Sent from the cloud -- where it's already tomorrow
Re: FTBFS if -Werror=format-security flag is used
On Wed, Dec 04, 2013 at 05:11:16PM -0600, Ian Pilcher wrote:
> On 12/04/2013 04:56 PM, Brendan Jones wrote:
>> Patching is not a problem. Unnecessary is the question. Explain to me (not you in particular Rahul) how these printf's can possibly be exploited?
>
>     char *output;
>     output = get_user_input(...);
>     printf(output);
>
> What happens when the user enters %n?

With -D_FORTIFY_SOURCE=2 the program is aborted, unless the string resides in read-only memory ;)

Jakub
Re: FTBFS if -Werror=format-security flag is used
On 12/05/2013 12:11 AM, Ian Pilcher wrote:
> On 12/04/2013 04:56 PM, Brendan Jones wrote:
>> Patching is not a problem. Unnecessary is the question. Explain to me (not you in particular Rahul) how these printf's can possibly be exploited?
>
>     char *output;
>     output = get_user_input(...);
>     printf(output);
>
> What happens when the user enters %n?

I remain unconvinced. Exploit my system with one of ams, aubio, hydrogen, jack-keyboard, phasex, portmidi or yoshimi. I just can't see it.
Re: FTBFS if -Werror=format-security flag is used
On Thu, Dec 5, 2013 at 12:11 AM, Brendan Jones brendan.jones...@gmail.com wrote:
> On 12/05/2013 12:11 AM, Ian Pilcher wrote:
>> On 12/04/2013 04:56 PM, Brendan Jones wrote:
>>> Patching is not a problem. Unnecessary is the question. Explain to me (not you in particular Rahul) how these printf's can possibly be exploited?
>>
>>     char *output;
>>     output = get_user_input(...);
>>     printf(output);
>>
>> What happens when the user enters %n?
>
> I remain unconvinced. Exploit my system with one of ams, aubio, hydrogen, jack-keyboard, phasex, portmidi or yoshimi. I just can't see it.

Suppose I create a malicious drumkit and either get it uploaded to one of the officially recommended links at http://www.hydrogen-music.org/hcms/node/16 , or even just attach it in bugzilla to a bug report saying that the Fedora hydrogen package crashes or otherwise mishandles that file (causing _you_ personally to open that file, even if in a debugger)?

Note that I _don't really know_ whether this is exploitable with hydrogen; though the incorrect format strings being in a class named Object does suggest that the affected input paths may be pretty widespread.

Even if this weren't a security issue (or it were already mitigated by _FORTIFY_SOURCE), it's a simple correctness issue: the program's output should be correct, and the program should not abort just because "100%new" happens to appear in a string. As long as it's worth it to have software packaged in Fedora, it's not unnecessary to fix bugs IMHO.

Mirek
Re: FTBFS if -Werror=format-security flag is used
On 12/05/2013 12:28 AM, Miloslav Trmač wrote:
> On Thu, Dec 5, 2013 at 12:11 AM, Brendan Jones brendan.jones...@gmail.com wrote:
>> On 12/05/2013 12:11 AM, Ian Pilcher wrote:
>>> On 12/04/2013 04:56 PM, Brendan Jones wrote:
>>>> Patching is not a problem. Unnecessary is the question. Explain to me (not you in particular Rahul) how these printf's can possibly be exploited?
>>>
>>>     char *output;
>>>     output = get_user_input(...);
>>>     printf(output);
>>>
>>> What happens when the user enters %n?
>>
>> I remain unconvinced. Exploit my system with one of ams, aubio, hydrogen, jack-keyboard, phasex, portmidi or yoshimi. I just can't see it.
>
> Suppose I create a malicious drumkit and either get it uploaded to one of the officially recommended links at http://www.hydrogen-music.org/hcms/node/16 , or even just attach it in bugzilla to a bug report saying that the Fedora hydrogen package crashes or otherwise mishandles that file (causing _you_ personally to open that file, even if in a debugger)?
>
> Note that I _don't really know_ whether this is exploitable with hydrogen; though the incorrect format strings being in a class named Object does suggest that the affected input paths may be pretty widespread.

Probably a bad example. I guess it's another case of educating upstream. They love that.
Re: FTBFS if -Werror=format-security flag is used
On Wed, Dec 4, 2013 at 3:54 PM, Brendan Jones brendan.jones...@gmail.com wrote:
> On 12/05/2013 12:28 AM, Miloslav Trmač wrote:
>> On Thu, Dec 5, 2013 at 12:11 AM, Brendan Jones brendan.jones...@gmail.com wrote:
>>> On 12/05/2013 12:11 AM, Ian Pilcher wrote:
>>>> On 12/04/2013 04:56 PM, Brendan Jones wrote:
>>>>> Patching is not a problem. Unnecessary is the question. Explain to me (not you in particular Rahul) how these printf's can possibly be exploited?
>>>>
>>>>     char *output;
>>>>     output = get_user_input(...);
>>>>     printf(output);
>>>>
>>>> What happens when the user enters %n?
>>>
>>> I remain unconvinced. Exploit my system with one of ams, aubio, hydrogen, jack-keyboard, phasex, portmidi or yoshimi. I just can't see it.
>>
>> Suppose I create a malicious drumkit and either get it uploaded to one of the officially recommended links at http://www.hydrogen-music.org/hcms/node/16 , or even just attach it in bugzilla to a bug report saying that the Fedora hydrogen package crashes or otherwise mishandles that file (causing _you_ personally to open that file, even if in a debugger)?
>>
>> Note that I _don't really know_ whether this is exploitable with hydrogen; though the incorrect format strings being in a class named Object does suggest that the affected input paths may be pretty widespread.
>
> Probably a bad example. I guess it's another case of educating upstream. They love that.

It's really a trivial fix. In some of my packages it was already patched upstream. Regardless of whether or not you are convinced, or anyone else for that matter, possible security flaws should always be patched whether they are probable or improbable.

Dan
Re: FTBFS if -Werror=format-security flag is used
On 12/04/2013 12:10 PM, Brendan Jones wrote:
> This is just a pain. Can someone explain to me why this is good?

Good or not, this is not the right question to ask.
* Is this necessary, and are the benefits worth the pains?
* This change is Sofa King stupid.

Why couldn't we have just enabled the warning without turning it into an error, THEN let packagers work with upstream in fixing those warnings? Regulate, not ban.

Alex